Should the FBI Hack Botnet Victims to Save the Internet?

The internet of things has ushered in a new age of debilitating DDoS attacks. Should the government intervene?

The internet of things has ushered in a new age of debilitating DDoS attacks. Last week, armies of poorly secured, internet-connected cameras controlled by the Mirai malware targeted servers that provide a key service to the web, meaning that many people could not connect to high profile sites such as Twitter or Spotify.

There are a handful of ways that these hordes of hacked devices might be tackled: perhaps governments could regulate the security of devices, or internet service providers could cut off access for certain machines. However, there is another more controversial, but increasingly relevant, way: law enforcement, or specifically the FBI, could hack the devices making up Mirai botnets—many of which are cameras—in order to ultimately disable the malicious network writ large.

"In this case they can, and it's reasonable to do," Nicholas Weaver, senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard in an email.

Theoretically, the FBI could break back into these cameras, seize control of them from hackers, and then lock them out. The agency could also permanently disable infected devices, or "brick" them.

And the problem of these crazy-powerful botnets is only getting worse, day by day: one hacker publicly released the Mirai malware used to create these networks of machines, and other actors have created their own botnets using that code.

These botnets are putting large chunks of the internet seriously at risk of attack, censorship, or extortion. So why shouldn't law enforcement step in more aggressively?

"Although Mirai is neither persistent nor patches the hole it used to enter the system, a hypothetical 'Mirai 2' easily could do both."

"I would expect the government to exhaust all less intrusive countermeasures before doing something destructive. But this episode illustrates a very serious market failure," Susan Hennessey, a fellow in national security at the Brookings Institution think tank and former National Security Agency attorney, told Motherboard in an email.

"If an internet connected device [is] improperly secured, posing a serious and ongoing threat to others, and there is also no way to make the device safe, then bricking it is an appropriate response, and may be necessary," she added.

Coincidentally, the timing of Mirai's rise runs parallel with a looming change to how the FBI can legally hack computers across the US and in other countries.

In December, changes to Rule 41 of Federal Rules of Criminal Procedure, which regulates when judges can authorize warrants for searches and seizures, will come into effect, unless blocked by Congress. As part of the changes, magistrate judges will be able to greenlight hacking operations outside of their district, including those that target machines belonging to botnet victims.

The Department of Justice actually brings up the example of a botnet as for why the Rule 41 changes are needed, writing that it anticipates seeking a warrant to search for and seize particular information that would provide "further evidence about the scope of the botnet and how the botnet might be dismantled." In other words, the FBI might hack your computers or devices as a means to an end for taking down a botnet.

Recently, computer scientists raised concerns that hacking botnets could harm victim machines, and that, when searching those swept into a particularly large botnet, "there almost certainly will be problems on some of them."

But in the case of Mirai, we are not talking about personal computers, but cheap, internet-connected cameras. Does that make the idea of hacking them any more palatable?

"A bit more, in that there's less personal data—but do people want the FBI to control their cameras?" Steve Bellovin, a computer scientist from Columbia University, and one of the researchers who penned comments against the Rule 41 changes, told Motherboard in an email.

There is another issue with the FBI hacking Mirai victims: it's not going to stop the arms race of internet of things botnets, only slow down this current iteration.

"This is not robust," Weaver from UC Berkeley added. "Although Mirai is neither persistent nor patches the hole it used to enter the system, a hypothetical 'Mirai 2' easily could do both," he wrote.

The FBI did not answer a specific question as to whether it would consider hacking botnet victims.

But, in the meantime, actors capable of disabling large swaths of the internet, including sites like Twitter that people use to communicate, and journalists' websites that spread important news, are currently free to do so. The situation is bleak, and dire.

"If society begins to perceive people as failing in that responsibility in a way that harms others—or outsourcing the cost by buying cheap and insecure products—then we may cease to think about botnet 'victims' as victims at all. And that will have a significant impact on what we perceive as appropriate law enforcement activity," Hennessey said.